Fix Timing-Allow-Origin check in ResourceTiming
Categories
(Core :: DOM: Networking, defect)
Tracking
()
| Performance Impact | none |
People
(Reporter: npm, Unassigned)
Details
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36
Steps to reproduce:
In https://github.com/web-platform-tests/wpt/pull/20320 I added a test to check the behavior landing in https://github.com/whatwg/fetch/pull/955. Essentially there are two changes:
- Same-origin check is replaced with 'response tainting' from Fetch.
- When Fetch's 'tainted origin flag' is set, having a TAO header equal to the request origin is not a valid way to pass the TAO check (instead, requires '*' or 'null').
Based on https://wpt.fyi/results/resource-timing/crossorigin-sandwich-TAO.sub.html?label=master&label=experimental this will require a change in implementation in Firefox
|
||
Comment 2•5 years ago
|
||
P3 I suppose, it's a minor security improvement. Also moving this to the Performance component as this is mostly managed there I think (even though more stuff will move into Fetch over time as the primitives get better anchored).
|
||
Comment 3•5 years ago
|
||
Marking this as [qf-] so it's not clogging up the QF-triage queue (since core::performance bugs go in the QF queue)
|
||
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
||
Comment 4•2 years ago
|
||
I landed some patches in bug 1768583 and bug 1770001 to align the TAO check updates in spec, and I think the crossorigin-sandwich-TAO.sub.html test has been renamed to SO-XO-SO-redirect-chain-tao.https.html and we now pass it. So we are good.
Description
•